Post navigation

Founders on Fire: Nathan Burke, CMO, Axonius

Posted by Jon Howell | 24/04/20

Today we have the chance to catch up with one of our runners-up in this year’s Security Trailblazers category. Nathan Burke, CMO at Axonius, talks to Chief Trailblazer Rose Ross about how awards, and the recognition they bring, can be vital for any startup that’s trying to stand out in the crowded security space.

He also describes the honour (and pressure) of having to present at the RSA Innovation Sandbox contest at the last minute. Plus he introduces us to CybersecurityCares, a valuable resource for security professionals in these difficult times. Listen to the full podcast at:

YouTube

Spotify

Anchor fm

Interview transcript

RR: Welcome everybody to the Founders on Fire podcast from the Tech Trailblazers. I’m Rose Ross, I’m the chief Trailblazer and founder of the Trailblazers, and I’m delighted to welcome yet again, Nathan Burke, the CMO of Axonius who were our runners-up in the Security Trailblazers this year. So, welcome Nathan!

NB:
Thank you for having me.

RR: Again!

NB:
Again.

RR: I think we will name this, ‘The New York so good they recorded it twice’ episode.

NB:
A very well-prepared episode.

RR: Yes, well, a dress rehearsal and everything yesterday, so no excuses.

NB:
That’s right.

RR: Well, welcome again. Obviously, there are a few things that I would like to run through with you, so if we can kick off with just a description about Axonius, what it’s all about, and where you fit in the cyber landscape.

NB:
Sure, happy to. We say that what we do is cybersecurity asset
management, and I think we also qualify that by saying that asset
management is the least sexy part of cybersecurity, and in fact we’ve
called ourselves the Toyota Camry of cyber security. What we mean is
there’s a lot of really cool, high tech
sci-fi technologies out there in cyber security, and in fact when you
think of the word ‘cybersecurity’
you’re probably
thinking The Matrix and all those really cool technologies, and what
we do is something very, very simple, and we’re
trying to solve a problem that’s been
around for 30 years, and that’s asset
management.

The idea is, even though it’s 2020 and we have these really cool tools, companies out there are still struggling with understanding what they have. So what kind of devices, what kind of cloud instances, and what users they have, much less how to secure that. So our whole idea is, you’ve already got all the information of all your devices, and your users, so why not just grab all that information from all the different sources, correlate it together to show you exactly what you have, so then you can tell whether or not everything is secure.

So,
we do something really, really simple, but it’s
very foundational and I think it’s part
of any security programme, if you’re
going to secure something, you’d better
know what you have.

RR: Yes, absolutely. So, I think as you described it previously, the unsexy part of cybersecurity.

NB:
Yes.

RR: Cool, so let’s look forward. Obviously, we know each other from your previous existences, and you had one of your previous companies Hexadite, which was acquired by Microsoft, that also found success with us. You’re a startup veteran, I think, now you were saying, your third cybersecurity startup now with Axonius. What would you say are key moments in your journey as a startup? And what have you found that’s particularly challenging, or that you’re particularly proud of? I’m sure actually you can answer both of those, which one has been challenging, and what you’re proud of.

NB: Yeah sure. So, like you said, this is my third cybersecurity startup, and my fifth overall startup. So I’m a glutton for punishment I guess, and every time I do it again I start from scratch, and I’m saying, “Why did I do this?” But I love it and I think the easy one to say about what I’m particularly proud of, is winning the RSA Innovation Sandbox with Axonius last year, we’ve talked about this already.

RR: Yes, behind coming second in the Tech Trailblazers, that kind of…

NB: [Laughs] Right, right, yeah second place was good. So, I think the takeaway there is, and I think this is important, is that although it seems like it’s just a vanity thing, awards and recognition really, really matter. Just to go back to the Innovation Sandbox, I’ll tell a quick story of it. For those of you that don’t know, RSA Innovation Sandbox is the top award for startups in cybersecurity, they award the most innovative cybersecurity startup of the year. The RSA conference is like 40,000-50,000 people there, each year they pick 10 companies, those 10 companies have to go on stage and give their best three-minute pitch to a room full of a few thousand people, and a panel of experts as judges. So, you give a three-minute pitch, it can’t go over by a second. So 10 companies give their three-minute pitch, they pick two finalists, and then they pick a winner. So, to do this, as you can imagine there is a tremendous amount of preparation involved.

Actually, I’m going to back-up, I tried to get into the Innovation Sandbox when I was at Hexadite, didn’t get in. I tried my first year at Axonius, didn’t get in. So, it took a few times to get in, and then in 2019 we’re named one of the 10 finalists. So, we go through all the preparation and building our best three-minute pitch, rehearsing it over and over and over again. I get to RSA a day early because I’ve got to set up the booth and make sure everything’s fine, then I get a call at midnight from our CEO who was the one that was supposed to give the pitch, saying, “We’ve just had a snowstorm in New York, and my flight’s cancelled. You’re going to have to do it”.

RR: Oh oh, no pressure there for Nathan.

NB:
No pressure! No pressure. Luckily, I was the one that put the deck
together and rehearsed the pitch for them, so I just had to change it
a little bit to make it more my own. But then we gave the pitch, we
were named the finalists, and it was between us and a company that
does homomorphic encryption. So, think about that, the unsexy startup
versus someone doing something that is right out of a sci-fi movie.
They picked us as the winner, and man, you could see at that moment,
you can watch my knees buckle when they named Axonius the winner.

That
really changed everything for us, because from that moment on we went
from someone that no-one had ever heard of, to getting calls from
Fortune 500 companies saying, “I need you
to meet with us right now and give us a demo, drop everything”,
and I in fact kicked out our advisory board from our meeting room,
and said we’ve got to go meet with this
customer. Then for the first time, and probably the only time in my
career I had our sales leader say, “I
can’t keep up with the volume of leads,
you’ve got to stop this”,
I actually marked that on my calendar. So, that was by far the moment
I was most proud of, just watching that all come together, all the
preparation, then seeing the customers coming to us. Overwhelming a
sales team is the goal of any marketer right!

RR: Because they never say there’s too many leads, they never say that.

NB:
They never ever say that.

RR: Never say that, that is definitely a red letter day. So, I hope you phone them up a year later and go, “Remember this time last year?”

NB:
Yes, exactly, exactly. So, I think that’s
a high point, and then the other side of that, the challenges, yeah
there’s been a lot of them. I think one
of the things that was a big challenge in my last two cybersecurity
startups is that we were way ahead of the market. So, my first one
was a company called CloudLock that Cisco bought, we were one of the
first CASB solutions, before CASB was a category. I remember standing
in a Gartner booth at the Security & Risk Symposium, explaining
what we were doing, protecting data in the cloud. I very vividly
remember people walking up and saying, “Wait
a minute, put my data in the cloud, are you kidding me? I’ll
never ever do
that”. So, it was just way ahead and it
felt like pushing a rock up hill.

And
then my last one, Hexadite, we were a source solution before that was
a category, and only the more sophisticated companies out there want
to automate their incident response and trying to get through alerts.
So, that was the same thing, we were way ahead of it, so it was a lot
of evangelising and a lot of really trying to get people to buy the
fact that this was a problem that was worth solving. And so that one
was hard, and this one’s very different.

I
think in every case there are big challenges. In this one right now
at Axonius, it’s kind of nice because
everyone identifies with the problem, the challenge here is letting
them know and making them believe that there is a real solution,
since they’ve been sold potential
solutions for 20 years. So, in every one of those cases there are
unique challenges, nothing is easy.

RR: Well, it’s good to have a challenge I find.

NB:
Oh of course.

RR: You just have rise to it. So, what words of encouragement would you give to a company weighing up whether to enter the Tech Trailblazers?

NB:
Again, I think awards and recognition is really important. The reason
why, let’s just take it from the most
basic level, there are thousands of companies out there…

RR: Something like 15,000 cybersecurity, if you look at something like that.

NB:
Yes, let’s just take it from the
cybersecurity perspective, forget about the broader audience. I did
the maths one year, and I wish I had done it today, but I looked at
it in a number of companies exhibiting at something like an RSA. It’s
physically impossible for every person there to go visit each booth
even for a minute, there’s just not
enough time to do it.

RR: But even in the startup zone there’s over 100, I think.

NB:
Yes, and that’s the idea is that all of
these, there’s just so many of them, and
if you just walk through the booths it’s
all competing messages. Everyone says they prevent everything, then
they detect everything, and they remediate everything, which by the
way you can’t do all three things,
they’re kind of at odds, right. But with
a crowded market, with a lot of noise, just imagine being on the
other end and being someone that’s
looking for a solution, you just don’t
know where to turn. You can’t figure out
who to believe. So it’s also the fact
that any marketer can say anything about what they do, without any
proximity of the truth.

One
of the ways that you have some filter criteria as an end user looking
for solutions, is that idea of social proof. It’s
things like customer testimonials, someone that’s
willing to put their name behind a product. Then there’s
also things like industry awards, and I think it’s
really, really important because everyone is just trying to filter
out some number of solutions that they’re
not going to look at. There’s just not
enough time in the day to look at everything. So you look at things
like all the awards and the recognition that a company has, it’s
really important and especially when you’re
just coming out of that – not even
stealth mode, but just no-one knows about you yet. So, awards,
recognition, customers, anyone that’s
talking about you that isn’t you is
incredibly important, and we’ve done a
lot of awards and it’s been really
valuable to us.

RR: Do you think that is going to change? We feel that cybersecurity or otherwise are going to be facing a very difficult six months. Obviously some of those will fall by the wayside, but there is a natural fallout from that environment. But I would say that cybersecurity is going to be the healthier of the areas in enterprise technology. I think there are going to be some great winners in consumer tech, and a lot of losers in consumer tech from a startup perspective. Do you see your strategy changing around entering awards, or do you think this is the better time now where you’re facing even more challenges potentially?

NB:
I don’t see it changing, I think we’ll
still do them. One thing I didn’t mention
which I think I should is, even if you don’t
win, I think it’s a great forcing
function to sharpen your message, because a lot of these have
requirements that are like you can only do a three-minute pitch, or
you only have this many characters in your description. I think it’s
a great exercise anyway because it’s
really easy as a marketer to just throw the kitchen sink at anything,
and say, “Here’s
all of the things we do”, but it forces
you to really figure out what’s important
and what makes you different, and even if you’re
never going to win anything, and you come away with a way of talking
about yourself, the idea of the elevator pitch, or just something
that’s really succinct, that’s
valuable in itself, and I would say do it anyway.

That’s
the other thing, we are all so busy all the time anyway, you never
get to that. You’ll never say stop
everything on the lead generation front, and let’s revise our message
and try to get it more succinct and concise. No-one is going to do
that, but if you’re trying to submit for
something, now you have a reason to do it, and that’s
the trigger for spending the time and effort there. So, even if you
never win anything it is absolutely valuable to go through that
exercise.

RR: Well certainly we’ve been looking at ways we can sharpen things and be more supportive, because we’ve always said it isn’t just about getting an accolade per se. It’s about getting your name in front of CSOs, CIOs, analysts, journalists, people who would not see you otherwise, who are influencers, so people like Stephen Foskett. We’ve got Carrie and Dave who are both CSOs here in Europe, Stephen O’Donnell who is also a CIO over here. So to have been shortlisted you have had to have captured their imagination, and impressed the people who are looking at your entry. Moving forward, also looking at how we can engage with the public more, as in the enterprise technology professionals outside of Axonius’s friendship circle, so that we can say, “Look, these are interesting companies, and we’d love you to have a closer look and vote, and hopefully then also engage with you if they think that what you’re doing is of interest and of value to them”, which hopefully it will be, right?

So, are there any tips you would give? You’ve talked about looking at honing your message. What other tips would you give companies who are entering the Tech Trailblazers, or any other awards?

NB:
It’s a really good question, and I’ve
thought a lot about this. I think one of the biggest hiccups, and the
biggest things that we do as marketers, and I mentioned that a little
bit before, is we’re living our product,
we’re living this day-to-day. I feel like
almost everyone thinks, “If I just had 10
minutes with everyone in the world, and told them everything this
thing has, every feature, how awesome this is, then we’d have every
customer in the world. Because of that we end up just blurting out
every feature and function of our product, and we don’t
think about the problem that it’s solving, we don’t
think about how it’s different from
anything out there. We don’t think about
the people that are living the problem that we’re
trying to solve and how they think about it.

When
you’re coming up with any award
submissions, or really anything that’s
aimed at someone that has never heard of you, and may not be thinking
about it in your terms, I think it’s one
of those things where you have to think about your audience. So, when
you’re submitting for an award, you’ve
got to think that the person who is reviewing that may not have any
idea what incident response is, or what asset management really
means, or any of these things. So, you really need to figure out how
to say it in a way that makes it the trailer to the movie, and that’s
the way I think about it, is you’re not
going to convince someone, and you’re not
going to educate them enough so that they can actually do a demo of
your product in an award submission. So, what you want to do is just
come up with something that tells the story about why there’s
a problem, what is different about the way that you’re
approaching it, and how it stands out from the thousands of other
startups out there, or other companies out there that are saying the
same thing.

So, one of the things that we did, and I mentioned it earlier when we were doing the Innovation Sandbox, was talking about the least sexy problem in cybersecurity, the Toyota Camry of cybersecurity. These were conscious decisions not just to be cute, but you need to have something that sticks in someone’s mind. After we won the Innovation SandBox I had people walking by saying, “Oh yeah, you guys are the unsexy guys”. I was totally fine with that because other than that it would have meant no recognition whatsoever. So, I think having something that sticks out of your mind, making a claim that you can support, but at least being a little bit bold is really, really important. You have to do something that stands out, and I don’t mean do some kind of marketing gimmick, or something that is just out there for the sake of being out there. But I think it’s okay to make a bold claim if you can support it, and you have to have something that sticks in their mind, or else you’ll be forgotten just like everyone else.

RR: Yes, stand out from the crowd, and it’s a pretty crowded place with 15,000 startups, aside from what the bigger vendors are doing. So yeah, good stuff.

Now obviously we’re in a very, as the Chinese say, “interesting time” at the moment, perhaps more challenging than any of us have ever experienced in our work lives; what advice in general would you give to startups who are looking to not just survive but thrive, in this economic climate?

NB:
I’m going to give an answer, and then I’m
going to give a reason why. I want to have a little caveat out there.
So, my answer is, experiment; so what better time than right now to
try new things? When I was thinking about it, every marketer out
there, because there are no events right now, and because there are
no face-to-face meetings, everyone is just saying double down on
digital, do more ads, do more webinars, do more of those things.
That’s fine, and you should, but that’s
what everybody else is doing too, and if you look at your inbox
you’ll get tons of invites to webinars,
there’s more LinkedIn ads than ever
before, so everyone’s doing the same
thing, so how do you stand out and how are you different?

I
kind of reverse engineered something and had an idea that I wanted to
try. My thought was everyone is doing all these campaigns that
requires end users, or viewers, or whatever you want to call them, to
sign up for something, to register, to give their information in
exchange for viewing content. My thought was, what if we did exactly
the opposite of that?

So,
just giving the example through Axonius, we have a lot of people that
go to our webinar, sign up for our content, download stuff, but
they’re not necessarily ready to say “I
want a demo”. To me, “I want a demo” means, I’m
willing to get on the call with the salesperson, get a ton of emails
from people like me, and hounding me all day long. So, the bar is
pretty high there, I had better be pretty ready to buy before I’m
ready to do that. All of these other people have indicated some
interest in Axonius, but they’re probably
not ready yet, they haven’t seen the
value enough to say, “Alright, get me on
a call with a salesperson, I want to see the product”.
So, I came up with this idea of, what if we did what I was calling an
invisible webinar, and it’s important
that I call it that, I’ll get back to it…

NB:
You can probably see where this is going. So, the idea was instead of
having anyone register, we just promoted this webinar that was going
to be a live broadcast, just the same thing we would do on a sales
demo except I’m just doing the full-on
demo, anybody can see it without having to register. They just go to
a page on our site, we embed the live webinar, anyone can see it,
anyone can chat with us anonymously, we don’t know who is on the
other end, and the call to action is if I’ve
convinced you that there’s enough value
here, sign up for a real demo.

So,
went through it, it’s a little bit
complicated because you have to do a Zoom webinar, which then
broadcasts to YouTube Live, and then YouTube Live is embedded on your
site, so a little bit complicated. But we ran through it, practiced
it, even recorded it, I swear I did this at least 15 times no joke,
and I was prepared as I could possibly be. On the day of the webinar
I signed in early, I do the same process I’ve
done 15 times, and for whatever reason right then and there when we
were about to go live, it just didn’t
work. I got all these errors from YouTube, and these were errors that
were like, “Your screen resolution is
wrong”, and I’m
arguing with YouTube saying, “No it’s
not, there’s nothing different! It’s
exactly the same”. But that argument
didn’t really do anything because nothing
worked.

So,
I had to scramble, I had 200, or something like that, people on the
live thing just waiting for it to start, and then I started getting
the emails saying, “Well I guess this
webinar is extra invisible”. So, we
scrambled and, since I had the recording, I dumped the recording on
that page and sent an email to everyone saying, “Hey,
I’m sorry it didn’t
work out, here’s the recording. Serves me
right for calling it the Invisible Webinar”.
So that didn’t work out. Then I just shot
a quick video on LinkedIn admitting my errors! But then the result of
it was unbelievable, I started getting emails from people, from
companies that would have never emailed me or wanted to talk, saying,
“Hey I understand, this happens, it’s
technology. I’ll checkout the recording”,
or some people even saying, “I looked at
the recording, I want a demo”. So,
although it was a miserable failure operationally, it actually worked
out, and in the end I think people empathised, everyone’s
had technology problems. But it’s just an
example of something where we want to be willing to try new things,
and even if they don’t work out, I’d
still do it again. Call me nuts, but I’m
going to do it again.

So,
that’s a long way in giving an example of
the idea of just try new things right now, because you’ll
never be able to do this again. In an environment where all marketers
are doing the same thing, the people that stand out are the ones that
are going to get some kind of exponential returns.

RR: So, this is a chance to do the survival of the fittest.

NB:
Yeah, and don’t be afraid of it. I think
a lot of companies out there, or marketing departments say, “We
embrace failure” or “We
want to try new things”, but it’s
one thing to say that, it’s another to do
it.

RR: Yes, those are brave words said by people who aren’t anticipating it’s going to happen. That’s cool. So, anyway, we chatted before recording the podcast about some stuff that we might… I wouldn’t say it’s collaboration, but shall we say we’re going to recycle something that you’ve been working on, and broaden out. So, could you tell everybody a little bit about Cybersecurity Cares, which has come up over the last couple of weeks, and was an initiative that you came up with, which was quite an interesting story in itself, where this eureka moment happened.

NB:
I think this is another example of experimenting on something, and
just trying new things right. So, a few weeks ago when all of this
stuff started, and I won’t name it by
name…

RR: It’s the Voldemort thing.

NB:
That’s right, exactly. I woke up really
early, like 4am, on a Saturday and I just wrote a blog post. I think
I called it, “Things are going to be
weird in cybersecurity for a while” and
all I did is I brought together a bunch of resources. I’m
thinking now that everyone is working from home, why not grab a bunch
of things, like charities worth donating to, free tools that again in
my world of cybersecurity, that cybersecurity professionals can use
to help secure their newly remote workforce, and finding free offers
from vendors that have commercial products, but are offering it free
during this time with certain limitations. Now that we have people
that are at home with their kids at home, and we’re
now all home school teachers, where can you find resources on how to
teach your kids, and where to find resources, even webinars, and all
of these things. So, I just grabbed these all together and put it in
a blog post, and I didn’t really think
much of it. I posted it on LinkedIn, and it just blew-up.

There
was I think over 10,000 views of it on a weekend! I couldn’t
believe that. And then on that Monday during my team meeting, I said
to my team, “What can we do to make this
bigger and better, and not just about Axonius? I think having
something that’s not just on the Axonius
site is going to be an awful lot better”,
and so we came up with this idea of cybersecuritycares.org. We built
a site in about a week and a half that does just that; that grabs all
of these resources that can help cybersecurity professionals that are
now at home trying to secure their remote workforce, that are now ad
hoc home school teachers, and people just looking to learn.

So,
we put all these resources together and once we launched it, we
allowed anyone that shows up to the site to either submit things like
news stories, any offers that their company has for people during
this time, free tools, any online events, anything like that, and
we’re just putting it together in a site.
The idea is it’s just to be helpful and
valuable, and nothing other than that. You have to hunt around to
find any mention of Axonius whatsoever. And the idea is we just want
to put together something that’s useful.
We got some pretty good response out of it, and a lot of people are
submitting resources there too, and so the idea is to try to bring
that to a larger audience through what you’re
doing as well.

RR: Cool. Well, you’ve inspired us to kind of broaden that somewhat to the wider Tech Trailblazing community, and look at what your alumni are offering other startups, and also bigger players, because we don’t want to make them feel that they can’t play with the startups as well. The Tech Trailblazers resources will be hopefully going live very soon, if not, hopefully depending on when people are listening, it will already be live. So, yeah it’s a tough time, but I think we all need to be resourceful and think about the community element of it, which I’ve always felt cybersecurity has been a very open community in many ways, which I’ve always found very interesting to begin with, that all of these very high-profile cybersecurity individuals were on Twitter, chatting about all sorts of interesting stuff! You go, “Well, this is not what I would expect”. So, obviously we’ll be looping back round with that.

Is there anything else that you’d like to share Nathan, because obviously we did do a kind of dress rehearsal yesterday of this, and I think we covered a lot of what you’ve shared today, but I’m just thinking is there anything else come to mind that I haven’t asked you about, but you’d like to share?

NB:
No, I think we’ve covered it all and I
just want to end on what you said there about the cybersecurity
community. It’s funny, because when you
think about it you think of people in cyber security being kind of
gruff and thorny, and instead they’re
willing to share, because when you think about what cyber security
actually is. It’s not something that’s
done on an individual company basis, it’s people that are trying to
protect the same kind of information, regardless of what company
they’re at, or what organisation, or even
what role, so collaboration is such a huge part of what they do. I
think you have to be collaborative by nature.

If
you look at anything in cyber security, there’s
a lot of value in understanding what’s
worked for other people, and what doesn’t
work, and so they’re an incredibly close
community of people that share a lot of information. I just love
being a part of it, and after three of these and talking to hundreds
if not thousands of security practitioners, there’s
nowhere I’d rather be, and I’m
going to stay in this for the rest of my career, for sure.

RR: Fantastic, it sounds great. Well thank you very much for joining us today Nathan, it’s been an absolute pleasure.

Nathan has been here on the Founders on Fire podcast from the Tech Trailblazers, and yeah, we hopefully will be welcoming you back at some stage in the future, to talk about how things have progressed. Thank you very much, cheers.